Re: What to do about nologin(8)?

From: Andrey Chernov <ache_at_nagual.pp.ru>
Date: Wed, 25 Feb 2004 02:59:22 +0300

On Tue, Feb 24, 2004 at 10:27:58AM -0500, John Baldwin wrote:
> > Armoring nologin(8) is insufficient.

Yes.

> > In particular, as David Schultz pointed out, there are a lot
> > of home-grown nologin scripts out there that are potentially
> > vulnerable regardless of what we do with the "official"
> > nologin program.
> 
> Then do both. :)

People, please be aware that it is not a nologin problem at all, so please
do not touch nologin in this direction. E.g., any 3rd party shell from ports
or any home-grown admin shells/scripts _generally_ suffer from this problem.

It means that login, telnetd, su etc., whatever logs in and calls the shell,
should be fixed to never pass LD_* variables to the shell. Don't pick one
particular shell (nologin) and think you are secure.

-- 
Andrey Chernov | http://ache.pp.ru/
Received on Tue Feb 24 2004 - 15:17:48 UTC
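
Added example, not part of the original message and not FreeBSD's own code: one way a login-like program could drop every LD_* variable from the environment before it executes the user's shell, which is the fix the message argues for. The function name scrub_ld_env and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if entry ("NAME=value") is an LD_* run-time linker variable. */
static int is_ld_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/*
 * Build a new NULL-terminated environment array without LD_* entries.
 * Strings are shared with envp; only the array is allocated (caller frees).
 * Returns NULL on allocation failure; *dropped receives the count removed.
 */
char **scrub_ld_env(char *const envp[], size_t *dropped)
{
    size_t n = 0, kept = 0;
    while (envp[n] != NULL)
        n++;
    char **clean = calloc(n + 1, sizeof(*clean));
    if (clean == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (!is_ld_var(envp[i]))
            clean[kept++] = envp[i];
    clean[kept] = NULL;
    if (dropped != NULL)
        *dropped = n - kept;
    return clean;
}

int main(void)
{
    /* Constructed sample of an environment inherited from the session. */
    char *const inherited[] = { "TERM=xterm", "LD_PRELOAD=/constructed/a.so",
        "HOME=/home/user", "LD_LIBRARY_PATH=/constructed", NULL };
    size_t dropped = 0;
    char **clean = scrub_ld_env(inherited, &dropped);

    if (clean == NULL)
        return 1;
    for (char **p = clean; *p != NULL; p++)
        puts(*p);
    fprintf(stderr, "dropped %zu LD_* variable(s)\n", dropped);
    /* A login-like caller would pass clean as envp to execve() here. */
    free(clean);
    return 0;
}
```

Because the filtering happens in the caller, it protects every shell that is started this way, including third-party and home-grown ones, rather than only nologin.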
